Bridging: Where did forwarding-protocols go on 3.x?

I am setting up a bridge between two networks and I have the feeling it’s working. When I look in the ARP table on one side of the network, I can see that the MAC address of the station on the other side of the bridge is correct. Also when I look in

[admin@routeros] /interface bridge> host print

I do see MAC addresses of both sides.

Now I cannot use icmp or ip to reach the other subnet. I found:

[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
1 X name="bridge2" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
forward-protocols=ip,arp,appletalk,ipx,ipv6,other priority=1

in the 2.7 documentation, so I assumed I am not forwarding the protocols I need; however, I am on 3.23 and this option is not there anymore.
Does anybody know what could be wrong if ARP does its job but other protocols are not correctly bridged?

Tnx

You didn’t post enough details of your config for anyone to be able to help.

Here are some of the configs, basically it’s an OpenVPN server (192.168.2.240) which I’m trying to bridge with the LAN 192.168.2.0/16

You will see that the ovpn-test is put in the bridge automatically and that the hosts on both sides seem to be correct, I just cannot figure out why the IP traffic does not pass over it, if you need any more configs just let me know which ones, tnx for looking at this. Version is 3.23 btw.

[admin@arne] /interface bridge> print
Flags: X - disabled, R - running
0 R name="vpn-bridge" mtu=1500 arp=enabled mac-address=00:03:FF:08:C1:C2 protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

BRIDGE MAC-ADDRESS ON-INTERFACE AGE
vpn-bridge 00:03:FF:00:5E:A7 LAN 21s
vpn-bridge 00:03:FF:01:5E:A7 LAN 2m28s
vpn-bridge 00:03:FF:02:5E:A7 LAN 7s
vpn-bridge 00:60:16:03:CD:15 LAN 1m36s
vpn-bridge 00:60:16:03:DA:D3 LAN 4m22s
vpn-bridge 02:FF:1D:03:42:8D LAN 6s
L vpn-bridge 00:03:FF:08:C1:C2 LAN 0s
vpn-bridge 00:03:FF:0A:5E:A7 LAN 3m19s
vpn-bridge 00:03:FF:0C:C1:C2 LAN 17s
vpn-bridge 00:03:FF:0F:C1:C2 LAN 17s
vpn-bridge 00:1D:09:13:D8:43 LAN 0s
vpn-bridge 00:FF:E5:13:0C:92 LAN 2s
vpn-bridge 00:03:FF:17:5E:A7 LAN 1m1s
vpn-bridge 00:03:FF:1D:5E:A7 LAN 3s
vpn-bridge 00:18:39:21:CE:3C LAN 7s
vpn-bridge 00:03:FF:2E:5A:EA LAN 9s
vpn-bridge 00:14:85:2F:5A:BE LAN 4s
vpn-bridge 00:14:85:2F:5A:E8 LAN 0s
vpn-bridge 00:14:85:2F:5A:EA LAN 4m11s
vpn-bridge 00:1E:4F:30:33:04 LAN 8s
vpn-bridge 00:1E:4F:30:2B:51 LAN 50s
vpn-bridge 00:1E:4F:30:32:E1 LAN 2m50s
vpn-bridge 00:0C:F6:31:4B:55 LAN 3s
vpn-bridge 08:00:37:33:78:23 LAN 27s
vpn-bridge 00:18:8B:34:04:A8 LAN 35s
vpn-bridge 00:13:72:50:93:64 LAN 0s
vpn-bridge 00:14:22:55:69:44 LAN 11s
vpn-bridge 00:06:5B:55:37:0F LAN 1s
vpn-bridge 00:FF:6E:57:9F:9A LAN 7s
vpn-bridge 00:13:11:58:95:C2 LAN 10s
vpn-bridge 00:03:FF:5D:93:65 LAN 0s
vpn-bridge 00:03:FF:5D:93:66 LAN 11s
vpn-bridge 00:13:72:5F:48:39 LAN 3m1s
vpn-bridge 00:13:72:5F:49:4A LAN 27s
vpn-bridge 00:FF:2A:64:B5:C8 LAN 54s
vpn-bridge 00:07:5F:71:B1:32 LAN 10s
vpn-bridge 00:12:3F:74:EA:AB LAN 0s
L vpn-bridge FE:2F:3B:7C:24:8B 0s
vpn-bridge 00:18:8B:7F:B0:9A LAN 4m29s
vpn-bridge 00:1D:09:AC:E5:1C LAN 0s
vpn-bridge 00:14:22:B0:F9:79 LAN 21s
vpn-bridge 00:1E:4F:B5:9D:6C LAN 1s
vpn-bridge 00:1E:4F:B5:9D:6E LAN 7s
vpn-bridge 00:FF:87:BF:C4:5E 2s
vpn-bridge 00:30:B8:CA:C8:30 LAN 2s
vpn-bridge 00:1E:C9:D0:6E:8D LAN 10s
vpn-bridge 00:11:43:D4:47:E9 LAN 11s

[admin@arne] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.2.240/32 192.168.0.0 192.168.255.255 vpn-bridge
1 212.123.11.220/26 212.123.11.192 212.123.11.255 DMZ-212
2 D 192.168.2.240/32 192.168.2.250 0.0.0.0

[admin@arne] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic

INTERFACE BRIDGE PRIORITY PATH-COST HORIZON

0 LAN vpn-bridge 0x80 10 none
1 D vpn-bridge 0x80 10 none

[admin@arne] > ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 * name="default-encryption" local-address=192.168.2.240 remote-address=VPNPool bridge=vpn-bridge use-compression=default
use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes dns-server=192.168.2.30 wins-server=192.168.2.30

Ah, OpenVPN interface in the bridge – totally different story. I’ve never used an OpenVPN tunnel into a bridge for layer-2 connectivity so I can’t help. Maybe someone else has done that. You could use an EoIP tunnel encrypted with IPSEC or OpenVPN.

Your bridge is 1500 MTU … what about your OpenVPN tunnel? Not sure if it can do that like L2TP can.

Yah it’s at 1500. Should “in theory” this setup be working or is there anything logically wrong somewhere?

Why is the address 192.168.2.240/32 showing up on both the vpn-bridge interface and on the open-vpn interface? I know the dynamic one from the open-vpn interface was assigned via the profile, but it would seem to me that you don’t want the duplicate addresses. I don’t think that should affect the layer-2 performance of the bridge, but I don’t know what tests you’ve been running so maybe you have a red herring.
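The duplicate-address observation above can be checked mechanically. As an added example (not part of any poster's reply and not MikroTik code), this Python script parses `ip address print` rows like the ones posted in this thread and reports any host address that is active on more than one row; the row layout is assumed from the output shown here, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the "ip address print" output posted in this thread.
# Row 2 shows no interface name in the post, so that column is optional.
SAMPLE = """\
0 192.168.2.240/32 192.168.0.0 192.168.255.255 vpn-bridge
1 212.123.11.220/26 212.123.11.192 212.123.11.255 DMZ-212
2 D 192.168.2.240/32 192.168.2.250 0.0.0.0
"""

# index, optional flags (X/I/D per the legend in the output), address/prefix,
# network, broadcast, optional interface name
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+"
    r"(?:(?P<flags>[XID]+)\s+)?"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?P<network>\S+)\s+(?P<broadcast>\S+)"
    r"(?:\s+(?P<iface>\S+))?\s*$"
)

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # flag legend, column header, blank lines
        flags = m.group("flags") or ""
        rows.append({
            "index": int(m.group("idx")),
            "dynamic": "D" in flags,
            "disabled": "X" in flags,
            # compare host addresses only, so a /32 and a /16 entry still collide
            "ip": ipaddress.ip_interface(m.group("addr")).ip,
            "interface": m.group("iface") or "(not shown)",
        })
    return rows

def duplicate_addresses(rows):
    by_ip = defaultdict(list)
    for row in rows:
        if not row["disabled"]:  # disabled entries cannot conflict
            by_ip[row["ip"]].append(row)
    return {str(ip): grp for ip, grp in by_ip.items() if len(grp) > 1}

if __name__ == "__main__":
    for ip, grp in duplicate_addresses(parse_rows(SAMPLE)).items():
        for row in grp:
            kind = "dynamic" if row["dynamic"] else "static"
            print(f"{ip}: row {row['index']} ({kind}) on {row['interface']}")
```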

Good point JJCinAZ. That static IP should not be there.

Also, shouldn’t his bridge MAC be something other than a VirtualPC machine’s? If there is no real ethernet NIC bridged in there you might need one of those dummy MAC addresses. 00:03:FF is ‘MS Virtual Servers’ and it is probably rotating around depending on which machine is talking on the bridge. I don’t remember if I really ever got mine working without a physical NIC bridged in as well…

The bridge should pick up the MAC address of the lowest running interface in the bridge. As long as it’s not zero, not all ones and not duplicated elsewhere it should be okay (there are minor exceptions to that). He really needs to switch to something like an EoIP tunnel instead of the OpenVPN tunnel to eliminate the OpenVPN part as a problem.

Just to clarify on the 192.168.2.240 part, indeed it’s there twice, one as the local address for the profile and once as the LAN ip for the interface.

I followed this wiki to configure the bridge:
http://wiki.mikrotik.com/wiki/OpenVPN#Bridge_mode with a “minor” change that this guide says:

/ppp profile add change-tcp-mss=default comment="" bridge=vpn-bridge
name="your_profile" only-one=default remote-address=ovpn-pool
use-compression=default use-encryption=required use-vj-compression=default

However with no local-address specified, openvpn will terminate with “no remote address available”

Since we virtualize “almost” everything, yes the RouterOS is in a bridge on Virtual Server 2005 R2 - too bad this doesn’t give me the option to bridge with a physical interface.

For the EoIP tunnel I need two routerOS to test on both sides I assume, I’ll see if I can get that setup (first time trying EoIP, sorry)

Tnx for the input so far!